The threat landscape facing organisations is growing more complex as fraudsters employ the latest advances in technology to achieve their goals. Organisations themselves are also adopting new technologies to drive revenues. This is an arms race that they cannot afford to sit out. Both the fraudsters and the organisations themselves are adopting new technologies, approaches and paradigms. Risk Managers now also have an opportunity to play a part in the process by implementing AI-driven anti-fraud solutions.
Risk management is defined in a number of ways, but the goal is the same: to maximise the realisation of objectives. Existing risk management systems based on static rules are no longer capable of lowering both false positive and false negative rates. Faced with the choice between high chargeback levels and high levels of declined transactions and manual reviews, Risk Managers must follow the example set by the fraudsters and use the latest technology to reduce chargebacks, manual reviews and declined transactions.
The risk management model has always focused on complex calculations and static rules. The application of AI offers the possibility to draw on large datasets using models that evolve and keep the system one step ahead of the fraudsters. The risk management function currently uses rules-based systems to monitor transactions, leading to alerts, manual reviews or denials. Risk Managers use rules and thresholds to set these alerts, and tuning them takes a great deal of time and effort.
Static rules-based systems present challenges. The first of these is the false alerts generated by existing systems. Settings that are too sensitive mean more manual reviews and declined transactions. If the settings are not sensitive enough, then chargebacks will increase. Static rules-based systems create alert fatigue as systems are tuned to ever more conservative levels. When alert fatigue sets in, operators expect false alerts, miss genuine frauds and allow these transactions to proceed. Every transaction that is sent for manual review comes at the expense of the user experience and risks losing not only that purchase but also future purchases.
Comprehensive risk management uses real-time and historical data, but the limitations of static rules stem from the fact that the rules are defined by humans. Humans are good at interpreting simple patterns but have limitations when it comes to complex patterns. The solution is to deploy AI-based systems to decipher complex attack patterns.
The next challenge is that static rules-based systems do not change unless they are reprogrammed by the risk team, who are already overworked because of the alerts generated by the system. AI-based systems automate this process by learning and using this knowledge to update the system rules. Static systems simply do not evolve at a rate that matches the threats and business objectives, leading to more chargebacks and more manual reviews.
By using AI anti-fraud systems, organisations can use transactional and historical data and enrich this with external feeds. The Nethone anti-fraud solution, for instance, gathers, at a minimum, over 3000 data points. Alongside this high-quality data, a customized machine learning solution is created and deployed for each organisation. The creation of these machine learning models requires both technical and business expertise. Instead of deploying static rules that lead to labour-intensive manual reviews, AI-based systems can prevent fraud in real time by employing models capable of identifying the most advanced fraud attempts without affecting genuine customers.
By using thousands of data points for each transaction verification, machine learning can exclude the use of static rules. AI-based systems learn continuously and are not bound by a list of fixed rules. Machine learning models automatically adapt to the changing business landscape, recognize regularities and anomalies, and become more and more effective with each new analysis carried out.
Fraudsters are embracing the latest technologies, and to keep one step ahead Risk Managers need to adopt the new – immediately.
As a former PCI SSC Qualified Security Assessor (QSA), Gareth has worked with clients across multiple verticals. He brings a global perspective and, with experience in security, compliance and incident response, he has helped executives at leading international companies meet their Information Security challenges.